SSH (via libxz) Backdoor Discovered
Malicious backdoor discovered in libxz which compromises OpenSSH.
A malicious backdoor has been discovered in the libxz compression library, which is widely used in Linux distributions. The supply chain attack results in compromising OpenSSH.
Fortunately, it appears to have been caught relatively early and most Linux distributions are not affected (still on earlier versions of libxz). Version 5.6 is affected. Earlier versions are not.
The command
xz -V
will show which version is in use on your system.
It is also worth running the same command on your Mac if you're using Homebrew.
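The check above can be scripted so that every xz on your PATH is covered (a Homebrew copy and a system copy can coexist) and so that the liblzma line of the output is inspected as well as the xz line. This is an added example, not code from the original post; the function names are hypothetical, and it treats the whole 5.6 series as affected because that is the version this page names.

```shell
#!/bin/sh
# Added example: classify the versions that `xz -V` reports.
# Assumption taken from the page: the 5.6 series is affected, earlier ones are not.

# Print the version on the line whose first word is the given label
# ("xz" or "liblzma") from `xz -V` output read on stdin.
version_of() {
    awk -v label="$1" '$1 == label { print $NF; exit }'
}

# Succeed (exit 0) when the version string belongs to the 5.6 series.
in_affected_series() {
    case "$1" in
        5.6|5.6.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Classify a full `xz -V` output passed as $1; prints one word.
classify_xz_output() {
    tool=$(printf '%s\n' "$1" | version_of xz)
    lib=$(printf '%s\n' "$1" | version_of liblzma)
    if [ -z "$tool" ] && [ -z "$lib" ]; then
        echo unknown
    elif in_affected_series "$tool" || in_affected_series "$lib"; then
        echo affected-series
    else
        echo not-affected
    fi
}

# Check every xz binary on PATH, not just the first one the shell finds.
check_local_xz() {
    found=0
    old_ifs=$IFS; IFS=:
    set -- $PATH            # split PATH on ":" into this function's arguments
    IFS=$old_ifs
    for dir in "$@"; do
        [ -x "$dir/xz" ] || continue
        found=1
        out=$("$dir/xz" -V 2>/dev/null)
        printf '%s: %s\n' "$dir/xz" "$(classify_xz_output "$out")"
    done
    [ "$found" -eq 1 ] || echo "no xz binary found on PATH"
}

check_local_xz
```

A result of affected-series means the installation needs to be checked against your distribution's advisory before you rely on it.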
The vulnerability utilises a well-obfuscated supply chain attack, and the attack vector itself is very interesting. More details can be found here,
or Low Level Learning has an interesting video on it if you prefer.